I posted messages to both OpenBSD and FreeBSD lists (thanks to those who helped).

I asked on my two favourite IRC channels (they know who they are).

The first glimmer of hope

Odinn and I were discussing this problem. He suggested I start comparing the two
boxes for differences. We started looking at various things, configuration files,
etc. I noticed sshd was different in size.

The main issue here is the libwrap line. The good box was using the tcp wrappers
library which was supplied as part of the FreeBSD base system. The bad box was using
the library supplied with the tcp_wrappers port. That’s the problem!

Description of the problem

The problem was caused by the existance of two tcp_wrapper libraries on the same
box. One library (libwrap.so.2) was supplied as part of the base
FreeBSD system. The other (libwrap.so.7) was installed as part of
the tcp wrapper port.

When I built OpenSSH 1.2.1, the sshd
binary was linked against libwrap.so.7. The tcp_wrapper check
would have tried to read /usr/local/etc/hosts.allow, which did not exist on my
box, and would have failed. The file descriptor was closed because of this error.
A read was later attempted with that closed file descriptor. This read
failed, which in turn, generated the error (ssh_exchange_identification: read: No such
file or directory).

So here is a brief outline of what was happening during my ssh connection attempt:

sshd asks tcp_wrappers: "how about this connection?"

tcp_wrappers looks at /usr/local/etc/hosts.allow

the file doesn’t exist

tcp_wrappers finds no rules allowing this connection

tcp_wrappers replies to sshd "no way! this connection can’t happen!"

sshd says, "sorry, you can’t connect".

Fixing it

The first part of fixing this was to remove the tcp_wrappers port. I
first found out which version of tcp_wrappers I had installed, then removed it:

The next step was to ensure hosts.allow was where it should be. I
found hosts.allow in /etc/ on my box and not in /etc/user/local/etc/.
So I didn’t have to change anything there. I had previously ensured that my
/etc/inetd.conf was up to date with the latest tcp_wrapper requirements (see man
inetd.conf) and my article on tcp_wrappers may also be
useful.

Note that the default /etc/hosts.allow file allows *everything*. There
are many interesting examples in there and you should customize it according to your
needs.